diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-10 03:32:23 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:57 +0200 |
| commit | c515d0adea0ce6408dfaa5719a3bbf3340da7d92 (patch) | |
| tree | 44b154d1b60fda8a263c987ed2161d08e4d627aa | |
| parent | 520ca74cdac5bc15b0d28f7a313730655c95d9c8 (diff) | |
Ensure have a TLS policy for each of our host we want to relay to.
| -rw-r--r-- | roles/common/tasks/mail.yml | 15 | ||||
| -rw-r--r-- | roles/common/templates/etc/postfix/tls_policy.j2 | 23 |
2 files changed, 23 insertions, 15 deletions
diff --git a/roles/common/tasks/mail.yml b/roles/common/tasks/mail.yml index e51dfef..56a012e 100644 --- a/roles/common/tasks/mail.yml +++ b/roles/common/tasks/mail.yml @@ -68,53 +68,42 @@ - name: Fetch Postfix's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/postfix/ssl/{{ ansible_fqdn }}.pem dest=certs/postfix/ fail_on_missing=yes flat=yes tags: - genkey - name: Compile the static local Postfix database postmap: cmd=postalias src=/etc/aliases db=cdb owner=root group=root mode=0644 # We're using CDB - name: Delete /etc/aliases.db file: path=/etc/aliases.db state=absent -- name: Build the Postfix TLS policy map - sudo: False - # smtp_tls_fingerprint_digest MUST be sha256! - local_action: shell openssl x509 -in certs/postfix/{{ item }}.pem -noout -fingerprint -sha256 | cut -d= -f2 - with_items: groups.out | sort - register: tls_policy - changed_when: False - when: "'out' not in group_names" - tags: - - tls_policy - - name: Copy the Postfix TLS policy map template: src=etc/postfix/tls_policy.j2 dest=/etc/postfix/tls_policy owner=root group=root mode=0644 - when: "'out' not in group_names" + when: "'out' not in group_names or 'MX' in group_names" tags: - tls_policy - name: Compile the Postfix TLS policy map postmap: cmd=postmap src=/etc/postfix/tls_policy db=cdb owner=root group=root mode=0644 - when: "'out' not in group_names" + when: "'out' not in group_names or 'MX' in group_names" tags: - tls_policy - name: Start Postfix service: name=postfix state=started when: not (r1.changed or r2.changed or r3.changed or r4.changed) - meta: flush_handlers diff --git a/roles/common/templates/etc/postfix/tls_policy.j2 b/roles/common/templates/etc/postfix/tls_policy.j2 index b4fc453..d53b0a0 100644 --- a/roles/common/templates/etc/postfix/tls_policy.j2 +++ b/roles/common/templates/etc/postfix/tls_policy.j2 @@ -1,6 +1,25 @@ # {{ ansible_managed }} +# /!\ WARNING: smtp_tls_fingerprint_digest MUST be sha256! +{% if 'out' not in group_names %} [outgoing.fripost.org]:{{ postfix_instance.out.port }} fingerprint ciphers=high protocols=TLSv1.2 -{% for x in tls_policy.results %} - match={{ x.stdout }} +{% for h in groups.out | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} {% endfor %} +{% endif %} + +{% if 'MX' in group_names %} +{% if 'IMAP' not in group_names %} +[mda.fripost.org]:{{ postfix_instance.IMAP.port }} fingerprint ciphers=high protocols=TLSv1.2 +{% for h in groups.IMAP | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} +{% endfor %} +{% endif %} + +{% if 'lists' not in group_names %} +[antilop.fripost.org]:{{ postfix_instance.lists.port }} fingerprint ciphers=high +{% for h in groups.lists | sort %} + match={{ lookup('pipe', 'openssl x509 -in certs/postfix/'+h+'.pem -noout -fingerprint -sha256 | cut -d= -f2') }} +{% endfor %} +{% endif %} +{% endif %} |